Skip to content

Commit

Permalink
nixos/conduwuit: init
Browse files Browse the repository at this point in the history
  • Loading branch information
@niklaskorz
niklaskorz committed Nov 23, 2024
1 parent e8c20f2 commit 13ce2f9
Show file tree
Hide file tree
Showing 6 changed files with 368 additions and 4 deletions.
2 changes: 1 addition & 1 deletion nixos/doc/manual/release-notes/rl-2505.section.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

- Create the first release note entry in this section!
- [Conduwuit](https://conduwuit.puppyirl.gay/), a federated chat server implementing the Matrix protocol, forked from Conduit. Available as [services.conduwuit](options.html#opt-services.conduwuit.enable).

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->

Expand Down
1 change: 1 addition & 0 deletions nixos/modules/module-list.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -704,6 +704,7 @@
./services/matrix/appservice-discord.nix
./services/matrix/appservice-irc.nix
./services/matrix/conduit.nix
./services/matrix/conduwuit.nix
./services/matrix/dendrite.nix
./services/matrix/hebbot.nix
./services/matrix/hookshot.nix
Expand Down
264 changes: 264 additions & 0 deletions nixos/modules/services/matrix/conduwuit.nix
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,264 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.conduwuit;

format = pkgs.formats.toml { };
# TOML does not allow null values, so we just omit those fields
filteredSettings = lib.converge (lib.filterAttrsRecursive (_: v: v != null)) cfg.settings;
configFile = format.generate "conduwuit.toml" filteredSettings;
in
{
meta.maintainers = with lib.maintainers; [ niklaskorz ];
options.services.conduwuit = {
enable = lib.mkEnableOption "conduwuit";

extraEnvironment = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
description = "Extra Environment variables to pass to the conduwuit server.";
default = { };
example = {
RUST_BACKTRACE = "yes";
};
};

package = lib.mkPackageOption pkgs "conduwuit" { };

settings = lib.mkOption {
type = lib.types.submodule {
freeformType = format.type;
options = {
global.server_name = lib.mkOption {
type = lib.types.nonEmptyStr;
default = "";
example = "example.com";
description = "The server_name is the name of this server. It is used as a suffix for user # and room ids.";
};
global.address = lib.mkOption {
type = lib.types.nullOr (
lib.types.oneOf [
lib.types.nonEmptyStr
(lib.types.listOf lib.types.nonEmptyStr)
]
);
default = null;
description = ''
Address (IPv4 or IPv6) to listen on for connections by the reverse proxy/tls terminator.
If set to `null`, conduwuit will listen on IPv4 and IPv6 localhost.
Must be `null` if `unix_socket_path` is set.
To listen on multiple addresses, specify a list. For example:
`[ "127.0.0.1" "::1" ]`
'';
};
global.port = lib.mkOption {
type = lib.types.oneOf [
lib.types.port
(lib.types.listOf lib.types.port)
];
default = 6167;
description = "The port(s) conduwuit will be running on. You need to set up a reverse proxy in your web server (e.g. apache or nginx), so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit instance running on this port";
};
global.unix_socket_path = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = null;
description = ''
Listen on a UNIX socket at the specified path. If listening on a UNIX socket,
listening on an address will be disabled. The `address` option must be set to
`null` (the default value). You must add your reverse proxy to the `conduwuit`
group.
This will automatically disable the `DynamicUser` systemd feature and add a static user/group
to your system since this is the intended way how unix sockets should be used with conduwuit.
'';
};
global.unix_socket_perms = lib.mkOption {
type = lib.types.ints.positive;
default = 660;
description = "The default permissions (in octal) to create the UNIX socket with.";
};
global.max_request_size = lib.mkOption {
type = lib.types.ints.positive;
default = 20000000;
description = "Max request size in bytes. Don't forget to also change it in the proxy.";
};
global.allow_registration = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether new users can register on this server.
If set to true without a token configured, users can register with no
form of 2nd-step only if you set
`yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` to
true in your config.
If you would like registration only via token reg, please configure
`registration_token` or `registration_token_file`.
'';
};
global.allow_encryption = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether new encrypted rooms can be created. Note: existing rooms will continue to work.";
};
global.allow_federation = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether this server federates with other servers.
'';
};
global.trusted_servers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "matrix.org" ];
description = ''
Servers listed here will be used to gather public keys of other servers
(notary trusted key servers).
Currently, conduwuit doesn't support inbound batched key requests, so
this list should only contain other Synapse servers.
Example: `[ "matrix.org" "constellatory.net" "tchncs.de" ]`
'';
};
global.database_path = lib.mkOption {
type = lib.types.path;
default = "/var/lib/conduwuit/";
description = ''
Path to the conduwuit database, the directory where conduwuit will save its data.
To change this value the DynamicUser feature has to be disabled for the conduwuit
systemd service.
'';
};
global.allow_check_for_updates = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
If enabled, conduwuit will send a simple GET request periodically to
<https://pupbrain.dev/check-for-updates/stable> for any new announcements made.
Despite the name, this is not an update check endpoint, it is simply an announcement check endpoint.
Disabled by default.
'';
};
};
};
default = { };
description = ''
Generates the conduwuit.toml configuration file. Refer to
<https://conduwuit.puppyirl.gay/configuration.html>
for details on supported values.
Note that database_path can not be edited because the service's reliance on systemd StateDir.
'';
};
};

config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.settings.global.unix_socket_path == null || cfg.settings.global.address == null;
message = ''
In `services.conduwuit.settings.global`, `unix_socket_path` and `address` cannot be set at the
same time.
You can either listen on an IP address or a UNIX socket, but not both.
Leave one of the two options unset or explicitly set them to `null`.
'';
}
{
assertion = config.systemd.services.conduwuit.serviceConfig.DynamicUser -> cfg.settings.global.database_path == "/var/lib/conduwuit";
message = ''
To change `services.conduwuit.settings.global.database_path`
`systemd.services.conduwuit.serviceConfig.DynamicUser` has to be disabled
'';
}
];

users = lib.mkIf (cfg.settings.global.unix_socket_path != null) {
groups.conduwuit = { };
users.conduwuit = {
group = "conduwuit";
home = cfg.settings.global.database_path;
useDefaultShell = true;
};
};

systemd.services.conduwuit = {
description = "Conduwuit Matrix Server";
documentation = [ "https://conduwuit.puppyirl.gay/" ];
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
environment = lib.mkMerge ([
{ CONDUWUIT_CONFIG = configFile; }
cfg.extraEnvironment
]);
startLimitBurst = 5;
startLimitIntervalSec = 60;
serviceConfig = {
DynamicUser = cfg.settings.global.unix_socket_path == null;
User = "conduwuit";
Group = "conduwuit";

DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
PrivateIPC = true;
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@resources"
"~@clock"
"@debug"
"@module"
"@mount"
"@reboot"
"@swap"
"@cpu-emulation"
"@obsolete"
"@timer"
"@chown"
"@setuid"
"@privileged"
"@keyring"
"@ipc"
];
SystemCallErrorNumber = "EPERM";

StateDirectory = "conduwuit";
StateDirectoryMode = "0700";
RuntimeDirectory = "conduwuit";
RuntimeDirectoryMode = "0750";

ExecStart = lib.getExe cfg.package;
Restart = "on-failure";
RestartSec = 10;
TimeoutStopSec = "4m";
TimeoutStartSec = "4m";
};
};
};
}
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
View file
Original file line number Diff line number Diff line change
Expand Up @@ -214,6 +214,7 @@ in {
coder = handleTest ./coder.nix {};
collectd = handleTest ./collectd.nix {};
commafeed = handleTest ./commafeed.nix {};
conduwuit = handleTest ./matrix/conduwuit.nix {};
connman = handleTest ./connman.nix {};
consul = handleTest ./consul.nix {};
consul-template = handleTest ./consul-template.nix {};
Expand Down
94 changes: 94 additions & 0 deletions nixos/tests/matrix/conduwuit.nix
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
import ../make-test-python.nix (
{ pkgs, lib, ... }:
let
name = "conduwuit";
in
{
name = "conduwuit";

nodes = {
conduwuit = args: {
services.conduwuit = {
enable = true;
settings.global = {
server_name = name;
address = "0.0.0.0";
allow_registration = true;
yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true;
};
extraEnvironment.RUST_BACKTRACE = "yes";
};
networking.firewall.allowedTCPPorts = [ 6167 ];
};
client =
{ pkgs, ... }:
{
environment.systemPackages = [
(pkgs.writers.writePython3Bin "do_test" { libraries = [ pkgs.python3Packages.matrix-nio ]; } ''
import asyncio
from nio import AsyncClient
async def main() -> None:
# Connect to conduwuit
client = AsyncClient("http://conduwuit:6167", "alice")
# Register as user alice
response = await client.register("alice", "my-secret-password")
# Log in as user alice
response = await client.login("my-secret-password")
# Create a new room
response = await client.room_create(federate=False)
room_id = response.room_id
# Join the room
response = await client.join(room_id)
# Send a message to the room
response = await client.room_send(
room_id=room_id,
message_type="m.room.message",
content={
"msgtype": "m.text",
"body": "Hello conduwuit!"
}
)
# Sync responses
response = await client.sync(timeout=30000)
# Check the message was received by conduwuit
last_message = response.rooms.join[room_id].timeline.events[-1].body
assert last_message == "Hello conduwuit!"
# Leave the room
response = await client.room_leave(room_id)
# Close the client
await client.close()
asyncio.get_event_loop().run_until_complete(main())
'')
];
};
};

testScript = ''
start_all()
with subtest("start conduwuit"):
conduwuit.wait_for_unit("conduwuit.service")
conduwuit.wait_for_open_port(6167)
with subtest("ensure messages can be exchanged"):
client.succeed("do_test")
'';

meta.maintainers = with lib.maintainers; [
niklaskorz
];
}
)
Loading

0 comments on commit 13ce2f9

Please sign in to comment.